CVE-2009-3026
Vulnerability from cvelistv5
Published
2009-08-31 20:00
Modified
2024-08-07 06:14
Severity ?
Summary
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
References
cve@mitre.orghttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
cve@mitre.orghttp://developer.pidgin.im/ticket/8131
cve@mitre.orghttp://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279Patch
cve@mitre.orghttp://secunia.com/advisories/37071
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2009/08/24/2
cve@mitre.orghttp://www.securityfocus.com/bid/36368
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/53000
cve@mitre.orghttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070
cve@mitre.orghttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757
af854a3a-2127-422b-91ae-364da2661108http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
af854a3a-2127-422b-91ae-364da2661108http://developer.pidgin.im/ticket/8131
af854a3a-2127-422b-91ae-364da2661108http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279Patch
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/37071
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2009/08/24/2
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/36368
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/53000
af854a3a-2127-422b-91ae-364da2661108https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070
af854a3a-2127-422b-91ae-364da2661108https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T06:14:55.553Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "36368",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/36368"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://developer.pidgin.im/ticket/8131"
          },
          {
            "name": "37071",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/37071"
          },
          {
            "name": "[oss-security] 20090824 CVE id request: pidgin",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"
          },
          {
            "name": "pidgin-libpurple-weak-security(53000)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"
          },
          {
            "name": "oval:org.mitre.oval:def:5757",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"
          },
          {
            "name": "oval:org.mitre.oval:def:11070",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-08-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \"require TLS/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-18T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "36368",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/36368"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://developer.pidgin.im/ticket/8131"
        },
        {
          "name": "37071",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/37071"
        },
        {
          "name": "[oss-security] 20090824 CVE id request: pidgin",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"
        },
        {
          "name": "pidgin-libpurple-weak-security(53000)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"
        },
        {
          "name": "oval:org.mitre.oval:def:5757",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"
        },
        {
          "name": "oval:org.mitre.oval:def:11070",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-3026",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \"require TLS/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "36368",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/36368"
            },
            {
              "name": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279",
              "refsource": "CONFIRM",
              "url": "http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279"
            },
            {
              "name": "http://developer.pidgin.im/ticket/8131",
              "refsource": "CONFIRM",
              "url": "http://developer.pidgin.im/ticket/8131"
            },
            {
              "name": "37071",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/37071"
            },
            {
              "name": "[oss-security] 20090824 CVE id request: pidgin",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2009/08/24/2"
            },
            {
              "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891",
              "refsource": "CONFIRM",
              "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891"
            },
            {
              "name": "pidgin-libpurple-weak-security(53000)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53000"
            },
            {
              "name": "oval:org.mitre.oval:def:5757",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757"
            },
            {
              "name": "oval:org.mitre.oval:def:11070",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-3026",
    "datePublished": "2009-08-31T20:00:00",
    "dateReserved": "2009-08-31T00:00:00",
    "dateUpdated": "2024-08-07T06:14:55.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-3026\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-08-31T20:30:01.140\",\"lastModified\":\"2024-11-21T01:06:20.417\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the \\\"require TLS/SSL\\\" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.\"},{\"lang\":\"es\",\"value\":\"protocols/jabber/auth.c en libpurple en Pidgin v2.6.0, y posiblemente otras versiones, no siguen las preferencias \\\"requeridas en TSL/SSL\\\" cuando se conectan a un servidor Jabber viejo, que no siguen las especificaciones XMPP, lo que provoca que libpurple se conecte al servidor sin el cifrado esperado y permita  a atacantes remotos poder esp\u00edar la sesi\u00f3n.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8321D92-B935-4C2A-81B1-5984BFF4FD57\"}]}]}],\"references\":[{\"url\":\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://developer.pidgin.im/ticket/8131\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://secunia.com/advisories/37071\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2009/08/24/2\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/36368\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53000\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://developer.pidgin.im/ticket/8131\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://secunia.com/advisories/37071\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2009/08/24/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/36368\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/53000\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"Red Hat has released updates to correct this issue:\\nhttps://rhn.redhat.com/errata/RHSA-2009-1453.html\",\"lastModified\":\"2009-09-22T00:00:00\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.